I'm not absolutely 100% sure of this (i.e. I haven't thoroughly ruled
out weird freak scenarios, I suppose) but AFAICT so far, the problem
happens with the kernel RPMS (still happens with 2.6.4-1.257) but not
with mainline kernel source (at least, not with 2.6.4-rc2-bk1; I'm
about to try 2.6.4 final).
IOW, I think it's probably a patch being added by Red Hat. As I said,
though, I'm not 100% sure of this. I'm trying to find time to test
this hypothesis conclusively (and, if the hypothesis is correct,
narrow it down to the patch in question).

Ok, I can now 100% confirm that:
(a) the oops does not happen with 2.6.4 mainline source
(b) once I apply the patches that are applied by the 2.6.4-1.257 SPEC
file, in the order that the SPEC file applies them, the resulting
kernel has the oopsing problem
I am now working on seeing which patch causes the problem.

It's most likely the 4g/4g patch.
Without that patch a driver can violate the driver API on x86 and do
direct userspace access, which works most of the time, unless the page
in question is swapped out or a bad address is passed in.
With the 4g4g patch, use of the correct APIs is basically a requirement.
It looks to me like the write_fan() function is accessing the
*userspace* pointer directly without copying it to a kernel space
buffer with copy_from_user.
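
The pattern this last comment describes, as an added example that is not part of the thread and not the driver's actual code. It is a userspace model: `copy_from_user()` is stubbed with the kernel's return contract, and `user_mem`, `fan_level`, `write_fan_direct`, `write_fan_safe` and the 0-255 range are hypothetical.

```c
/* Userspace model (constructed); in a 2.6 kernel copy_from_user() comes from <asm/uaccess.h>. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define __user                 /* sparse annotation, a no-op here */
char user_mem[64];             /* constructed stand-in for user address space */
int fan_level = -1;            /* hypothetical device state */

/* Stub with the kernel contract: returns the number of bytes NOT copied. */
unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
{
    uintptr_t p = (uintptr_t)from, lo = (uintptr_t)user_mem;
    if (p < lo || n > sizeof(user_mem) || p - lo > sizeof(user_mem) - n)
        return n;              /* outside the user range: nothing copied */
    memcpy(to, from, n);
    return 0;
}

/* Pattern described above: the handler dereferences the user pointer itself. */
long write_fan_direct(const char __user *buf)
{
    return strtol(buf, NULL, 10);   /* no validation, no fault handling */
}

/* Corrected pattern: bounded copy into a kernel buffer, then parse the copy. */
long write_fan_safe(const char __user *buf, size_t count)
{
    char kbuf[16], *end;
    long val;
    if (count == 0 || count >= sizeof(kbuf))
        return -EINVAL;
    if (copy_from_user(kbuf, buf, count))
        return -EFAULT;             /* bad pointer becomes an error, not an oops */
    kbuf[count] = '\0';
    val = strtol(kbuf, &end, 10);   /* stand-in for the kernel's simple_strtol() */
    if (end == kbuf || val < 0 || val > 255)   /* 0-255 range is an assumption */
        return -EINVAL;
    fan_level = (int)val;
    return (long)count;
}

int main(void)
{
    memcpy(user_mem, "128\n", 4);   /* constructed sample write */
    return write_fan_safe(user_mem, 4) == 4 ? 0 : 1;
}
```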